Beware! New Exploit On Android Tricks Users Into Recording Screen Content Without Consent

Android is one of the most popular mobile operating systems of our time, which makes it an attractive target for attackers. Today, MWR InfoSecurity disclosed a new exploit that targets Android versions ranging from Android 5.0 Lollipop to Android 7.1 Nougat. The exploit tricks users into recording their screen without their knowledge. In simple terms, your mobile screen content could be secretly recorded, and you may have no idea about it.

According to a report published by MWR InfoSecurity, the exploit involves Android’s MediaProjection framework, which was introduced with Android 5.0 Lollipop. It gave developers the ability to record the phone’s screen along with system audio. In previous Android versions, screen recording apps had to run with root privileges or be signed with special keys, but with Lollipop and the versions that came after it, developers gained access to the screen capturing feature without any root permissions.

Generally, apps that use the MediaProjection framework explicitly request access to the service, and Android presents that request to the user as a SystemUI pop-up. However, MWR InfoSecurity found that attackers can easily overlay the SystemUI pop-up with a camouflage that tricks users into granting the app screen-recording permission. This is possible because Android versions newer than Lollipop are unable to detect screen overlays or fake SystemUI pop-ups.

Android 8.0 Oreo users are safe!

The report states that Google patched this vulnerability in Android 8.0 Oreo, but as most Android devices are not running Oreo, the threat persists and can affect the majority of users. As per the Android Distribution Chart (October), approximately 77.5% of active Android devices are running Android versions between 5.0 and 7.1.

As of now, there is no quick fix for this security loophole. In the meantime, however, Android developers can protect users by setting the FLAG_SECURE layout parameter through their application’s WindowManager. This prevents the content of the app window from appearing in screenshots or from being viewed on non-secure displays.
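One way to apply the FLAG_SECURE mitigation across a whole app, as an added example that is not code from MWR InfoSecurity's report or from Google. The class name SecureApp and the package name are hypothetical, and the class is assumed to be registered as the application class in AndroidManifest.xml.

```java
package com.example.secureapp; // hypothetical package name

import android.app.Activity;
import android.app.Application;
import android.app.Dialog;
import android.os.Bundle;
import android.view.Window;
import android.view.WindowManager;

/** Hypothetical Application subclass that marks every Activity window secure. */
public class SecureApp extends Application {

    /** Excludes a window from screenshots, recordings and non-secure displays. */
    static void markSecure(Window window) {
        if (window != null) {
            window.setFlags(WindowManager.LayoutParams.FLAG_SECURE,
                            WindowManager.LayoutParams.FLAG_SECURE);
        }
    }

    /**
     * A Dialog owns its own Window, so the flag set on the hosting Activity
     * does not cover it. Call this before dialog.show().
     */
    public static void markSecure(Dialog dialog) {
        markSecure(dialog.getWindow());
    }

    @Override
    public void onCreate() {
        super.onCreate();
        // onActivityCreated runs inside each Activity's super.onCreate(),
        // normally before setContentView(), so the flag is in place
        // before any content is drawn.
        registerActivityLifecycleCallbacks(new ActivityLifecycleCallbacks() {
            @Override public void onActivityCreated(Activity a, Bundle state) {
                markSecure(a.getWindow());
            }
            @Override public void onActivityStarted(Activity a) {}
            @Override public void onActivityResumed(Activity a) {}
            @Override public void onActivityPaused(Activity a) {}
            @Override public void onActivityStopped(Activity a) {}
            @Override public void onActivitySaveInstanceState(Activity a, Bundle out) {}
            @Override public void onActivityDestroyed(Activity a) {}
        });
    }
}
```

This protects only the windows of the app that sets the flag; content from other apps on the device remains recordable on the affected Android versions.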

In a blog post, MWR InfoSecurity states that the attack is not undetectable:

"When an application gains access to the MediaProjection Service, it generates a Virtual Display which activates the screencast icon in the notification bar. Should users see a screencast icon in their device's notification bar, they should investigate the application/process currently running on their devices."

In the meantime, we urge our readers to be careful when installing new applications. It is best to avoid apps that are not reliable.